Differences From:
File
src/tktsetup.c
part of check-in
[ac3f1f2ba7]
- Improvements to how ticket changes are displayed in the UI. The
hyperlink is shown with strike-through if the ticket is closed. The
title is shown after the ticket hyperlink. SQL to determine
the closed condition and the title can be set in the ticket
setup screens.
by
drh on
2008-10-18 02:27:13.
To:
File
src/tktsetup.c
part of check-in
[0be54823ba]
- Add defenses against cross-site request forgery attacks.
by
drh on
2008-10-18 12:55:44.
@@ -120,13 +120,15 @@
z = db_get(zDbField, (char*)zDfltValue);
}
style_header("Edit %s", zTitle);
if( P("clear")!=0 ){
+ login_verify_csrf_secret();
db_unset(zDbField, 0);
if( xRebuild ) xRebuild();
z = zDfltValue;
}else if( isSubmit ){
char *zErr = 0;
+ login_verify_csrf_secret();
if( xText && (zErr = xText(z))!=0 ){
@ <p><font color="red"><b>ERROR: %h(zErr)</b></font></p>
}else{
db_set(zDbField, z, 0);
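Review bot: `login_verify_csrf_secret()` is called separately at the top of both the `clear` branch and the `isSubmit` branch, and the two calls could be folded into one guard ahead of the chain, e.g. `if( P("clear")!=0 || isSubmit ) login_verify_csrf_secret();`, so that any further state-changing branch added later cannot bypass the check. As written the check runs only after `style_header()` has already started the page, so whatever `login_verify_csrf_secret()` does on mismatch presumably has to discard the partially rendered output; worth confirming against its definition, which is not on this page. The enclosing function starts before this hunk.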
@@ -134,8 +136,9 @@
cgi_redirect("tktsetup");
}
}
@ <form action="%s(g.zBaseURL)/%s(g.zPath)" method="POST">
+ login_insert_csrf_secret();
@ <p>%s(zDesc)</p>
@ <textarea name="x" rows="%d(height)" cols="80">%h(z)</textarea>
@ <blockquote>
@ <input type="submit" name="submit" value="Apply Changes">
@@ -635,8 +638,9 @@
}
style_header("Ticket Display On Timelines");
db_begin_transaction();
@ <form action="%s(g.zBaseURL)/tktsetup_timeline" method="POST">
+ login_insert_csrf_secret();
@ <hr>
entry_attribute("Ticket Title", 40, "ticket-title-expr", "t", "title");
@ <p>An SQL expression in a query against the TICKET table that will
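Review bot: The tktsetup_timeline form now carries the CSRF token, but the matching `login_verify_csrf_secret()` call on its POST-handling path is not within this hunk, and the hidden token is only a defense if that path verifies it before any setting is written. If the verify is added in a hunk not shown here this is fine; otherwise the handler should call `login_verify_csrf_secret();` before its first `db_set`, as the generic editor's clear/submit branches do. The enclosing function starts before this hunk and continues after it.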